Any plan to address CVE-2020-11979 in org.apache.ant

[Jerico Pena]

Hello All,

I am currently using the excellent example for unit testing job del provided below and recently noticed that a CVE exists for ant which is caused by the version of groovy that Spock uses. Is there any plan to address this vulnerability?

https://github.com/jenkinsci/job-dsl-plugin/blob/master/docs/Testing-DSL-Scripts.md

https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEANT-1015405

Upgrade org.apache.ant:ant to version 1.10.9 or higher.

I have tried upgrading the version of Spock and groovy in the build.gradle file, but the job dsl tests fail with the following error. I don't have enough knowledge of the Jenkins code base to know if this is an easy fix or if it requires some fundamental change.

Any thoughts or input would be greatly appreciated.

Thanks,

Jerico Pena

```

Expected no exception to be thrown, but got 'java.lang.IllegalStateException'
at app//spock.lang.Specification.noExceptionThrown(Specification.java:118)
at com.example.JobScriptsSpec.test script #file.name(JobScriptsSpec.groovy:46)
Caused by: java.lang.IllegalStateException: Jenkins.instance is missing. Read the documentation of Jenkins.getInstanceOrNull to see what you are doing wrong.
at jenkins.model.Jenkins.get(Jenkins.java:819)
at javaposse.jobdsl.plugin.JenkinsJobManagement.requireMinimumPluginVersion(JenkinsJobManagement.java:326)
at javaposse.jobdsl.plugin.JenkinsJobManagement.requireMinimumPluginVersion(JenkinsJobManagement.java:321)
at script.run_closure1$_closure2(script:5)
at script.run_closure1$_closure2(script)
at javaposse.jobdsl.dsl.ContextHelper.executeInContext(ContextHelper.groovy:16)
at javaposse.jobdsl.dsl.Project.scm(Project.groovy:194)
at script.run_closure1(script:4)
at groovy.lang.Closure.call(Closure.java:427)
at groovy.lang.Closure.call(Closure.java:416)
at javaposse.jobdsl.dsl.JobParent.processItem(JobParent.groovy:248)
at javaposse.jobdsl.dsl.JobParent.freeStyleJob(JobParent.groovy:47)
at script.run(script:1)
at javaposse.jobdsl.dsl.AbstractDslScriptLoader.runScript(AbstractDslScriptLoader.groovy:138)
at javaposse.jobdsl.dsl.AbstractDslScriptLoader.runScriptEngine(AbstractDslScriptLoader.groovy:108)
at javaposse.jobdsl.dsl.AbstractDslScriptLoader.runScripts_closure1(AbstractDslScriptLoader.groovy:61)
at groovy.lang.Closure.call(Closure.java:427)
at groovy.lang.Closure.call(Closure.java:416)
at javaposse.jobdsl.dsl.AbstractDslScriptLoader.runScripts(AbstractDslScriptLoader.groovy:46)
at javaposse.jobdsl.dsl.AbstractDslScriptLoader.runScript(AbstractDslScriptLoader.groovy:87)
at com.example.JobScriptsSpec.test script #file.name(JobScriptsSpec.groovy:42)

```